Abstract. Secret sharing schemes provide an effective method to safeguard a secret by dividing it among several participants. By using hash functions and the herding hashes technique, we first set up a (t+1, n) threshold scheme which is perfect and ideal, and then extend it to schemes for any general access structure. The schemes can be further set up as proactive or verifiable if necessary. The setup and recovery of the secret are efficient due to the fast calculation of the hash function. The proposed scheme is flexible because of the use of existing hash functions.
1 Introduction

A secret sharing scheme has a strong motivation in private key protection. Based on Kerckhoffs's principle [1], only the private key in an encryption scheme is the secret, not the encryption method itself. When we examine the problem of maintaining sensitive information, we must consider two issues: availability and secrecy. If only one person keeps the entire secret, there is a risk that the person might lose the secret or might not be available when the secret is needed. On the other hand, the more people who can access the secret, the higher the chance that the secret will be leaked. A secret sharing scheme (hereafter in this paper simply referred to as a 'scheme') is designed to solve these issues by splitting a secret into shares and distributing these shares among a group of participants. The secret can only be recovered when the participants of an authorized subset join together to combine their shares.

Secret sharing schemes have applications in security protocols, for example, database security and multiparty computation (MPC). When a client wants to have his database outsourced (so-called "Database as a Service") to a third party, how to keep sensitive information hidden from the server is a major concern. One common technique is to encrypt the data before storing it on the server. However, queries to the encrypted database are expensive. Reference [5] suggests using a threshold secret sharing scheme to split the data across different servers as shares in order to protect data privacy. MPC was first introduced in Yao's seminal millionaires' problem [3]. A secure MPC can be defined as n parties P_1, P_2, ..., P_n joining together to calculate a joint function f(x_1, x_2, ..., x_n), where x_i is the private input of P_i, i = 1, ..., n. After the computation, each P_i will know the correct result of f but will not learn the other x_j's. Secret sharing schemes play an important role in secure MPC, as secrecy is essential in such computations. For more material on MPC, please refer to the MPC literature.

To summarize, a secret sharing scheme is a cryptographic primitive with many applications, such as PGP (Pretty Good Privacy) key recovery, visual cryptography, threshold cryptography, threshold signatures, etc., in addition to those discussed above.

In this paper, we use the herding hashes technique to design a (t+1, n) threshold scheme which is perfect and ideal. Then, we show by examples of a hierarchical threshold scheme and a compartment scheme that any general access structure can be realized. The resulting scheme can easily be further implemented as proactive. By adding an additional hash function we can make it verifiable. The setup is simple and the secret can be recovered quickly. The implementation is flexible as we can make use of existing hash functions.

The rest of the paper is organized as follows. In Section 2 and Section 3 we review cryptographic hash functions and secret sharing schemes. Section 4 analyzes the complexity of the proposed scheme and shows how to make the implementation practical; then we present several secret sharing scheme setups for illustration. In Section 5 we outline an implementation plan. In Section 6 we conclude the paper and summarize the advantages of the proposed schemes.

2 Cryptographic hash functions 

2.1 Iterative hash functions and multicollisions 

A cryptographic hash function H takes an input message M of arbitrary length and outputs a fixed-length string h. The output h is called the hash or message digest of the message M. It should be fast, and preimage, second preimage and collision resistant. Please refer to textbooks such as [5,6] for the details.

An iterative hash function H is basically built from iterations of a compression function C using the Merkle-Damgård construction [7,8]. Briefly, the construction repeatedly applies the compression function as follows. (a) Pad the arbitrary-length message M into multiple u-bit blocks m_1, m_2, ..., m_b. (b) Iterate the compression function $h_i = C(h_{i-1}, m_i)$, where h_i and h_{i-1} are intermediate hashes of u-bit strings, h_0 is the initial value (or initial vector) IV, and i (1 ≤ i ≤ b) is an integer. (c) Output h_b as the hash of the message M, i.e.,

$H(M) = h_b = C(h_{b-1}, m_b).$

Suppose we apply the birthday attack to get b pairs of blocks (m_1, m'_1), ..., (m_b, m'_b) such that

$h_i = C(h_{i-1}, m_i) = C(h_{i-1}, m'_i), \quad i = 1, \ldots, b. \quad (1)$

By enumerating all possible combinations of these b pairs of blocks, each pair offering two choices, we can build up 2^b colliding messages (see Fig. 1). Since it takes 2^{u/2} steps to find one pair of blocks, this process takes approximately b × 2^{u/2} steps. So, it is relatively easy to find multicollisions in an iterative hash function. Please refer to [6,9] for the details.

Fig. 1. Multicollisions in iterative hash functions.



2.2 Herding and Nostradamus attack 

Kelsey and Kohno [10] give a detailed analysis of this attack. Stevens, Lenstra and de Weger [11] applied the technique to predict the winner of the 2008 US Presidential Election using a Sony PlayStation 3 in November 2007. We first build a large set of intermediate hashes at the first level: h_{11}, h_{12}, .... Then message blocks are generated so that they are linked and each intermediate hash at level 1 can reach the final hash, say h. This is called the diamond structure (see Fig. 2). We claim we can predict that something will happen in the future by announcing the final hash to the public. When the result is available, we construct a message as follows:

$M = \text{Prefix} \,\|\, M^* \,\|\, \text{Suffix}, \quad (2)$

where "Prefix" contains the result that we claimed to know before it happened, M* is a message block which links the "Prefix" to one of the intermediate hashes at level 1, and "Suffix" is the rest of the message blocks which link M* to the final hash. In the example of Fig. 2, M = Prefix || M* || Suffix, Suffix = m_{15} || m_{23} || m_{32}, and H(M) = h_{41} = h.

3 Secret sharing schemes 

Based on a (t+1, n) threshold scheme, many properties of secret sharing schemes can be easily demonstrated. It has a simple access structure and basis (Section 3.2). It is perfect and ideal (Section 3.3) and can be further implemented as proactive (Section 3.4) or verifiable (Section 3.5). Also, the distribution of the shares and the recovery of the secret are through polynomial evaluation and polynomial interpolation, respectively, which are easy to follow.
Fig. 2. A simplified diamond structure to illustrate the Nostradamus attack.

3.1 A (t+1, n) threshold scheme

In 1979 Shamir [12] proposed a (t+1, n) threshold scheme, under which each of the n participants P_1, P_2, ..., P_n receives a share of the secret and any group of t+1 or more participants (t ≤ n−1) can recover the secret. Any group of fewer than t+1 participants cannot recover the secret. The concept used by Shamir is based on Lagrange polynomial interpolation. We generate a polynomial of degree at most t over Z_q, where q is a large prime number (q > n > t+1). The coefficients a_t, ..., a_1 ∈ Z_q are generated randomly and a_0 ∈ Z_q is the secret:

$P(x) = a_t x^t + a_{t-1} x^{t-1} + \cdots + a_1 x + a_0 \pmod q. \quad (3)$

The dealer arbitrarily chooses distinct x_i ∈ Z_q − {0}, i = 1, 2, ..., n, and stores them in a public area. The corresponding shares P(x_i) (mod q) are then calculated and distributed to the participants privately, so that each participant gets a share of the secret. By polynomial interpolation, given any t+1 points the polynomial coefficients can be recovered, hence the constant term a_0, which is the secret. Note that we want the n points to be all distinct and the coefficients to be from the field Z_q to make sure we can recover the original polynomial. We must not give out the point P(0), because P(0) is the secret itself.

3.2 Access structure 

Continuing with the construction above, it is reasonable to assume that any number greater than t+1 of participants can always recover the secret. We call this property monotone. A group of participants which can recover the secret when they join together is called an authorized subset. In a (t+1, n) threshold scheme, any group of t+1 or more participants forms an authorized subset. On the other hand, any group of participants that cannot recover the secret is called an unauthorized subset. An access structure Γ is the set of all authorized subsets.
Given any access structure Γ, A ∈ Γ is called a minimal authorized subset if B ⊂ A implies B ∉ Γ. We use Γ_0, the basis of Γ, to denote the set of all minimal authorized subsets of Γ. In a (t+1, n) threshold scheme, let P be the set of the participants:

$\Gamma = \{ A \mid A \subseteq P \text{ and } |A| \ge t+1 \}, \quad (4)$

$\Gamma_0 = \{ A \mid A \subseteq P \text{ and } |A| = t+1 \}. \quad (5)$

In secret sharing, we first define the access structure. Then, we realize the access structure by a secret sharing scheme. For instance, Shamir's (t+1, n) threshold scheme realizes the access structure defined in Eq. 4.

3.3 Perfect and ideal scheme

Shamir's scheme does not give out any partial information even when up to t participants join together [5]. A scheme with such a property is called a perfect secret sharing scheme. Based on information theory, the length of any share must be at least as long as the secret itself in order to have perfect secrecy. The argument is that up to t participants have zero information under a perfect sharing scheme, but when one extra participant joins the group the secret can be recovered; that extra share must therefore carry at least as much information as the secret, so every participant's share is at least as long as the secret. If the shares and the secret come from the same domain, we call it an ideal secret sharing scheme. In this case, the shares and the secret have the same size.

3.4 Proactive scheme

In a secret sharing scheme, we need to consider the possibility that an active adversary, given a very long time to gather the necessary information, may eventually find out all the shares of an authorized subset and discover the secret. In order to prevent this, we refresh and redistribute new shares to all the participants periodically. After this phase, the old shares are erased safely. The secret remains unchanged. By doing so, the information gathered by the adversary across two resets becomes useless. In order to break the system an adversary has to get enough information about the shares within a single period between two resets.

Based on Shamir's scheme, Herzberg, Jarecki, Krawczyk, and Yung [13] derived a proactive scheme, which uses the following method to renew the shares. In addition to P(x) of Eq. 3, the dealer generates another polynomial Q(x) of degree at most t over Z_q without a constant term (i.e., b_0 = 0),

$Q(x) = b_t x^t + b_{t-1} x^{t-1} + \cdots + b_1 x \pmod q, \quad (6)$

where b_1, ..., b_t ∈ Z_q. Then add P(x) and Q(x) together to get the sum R(x) as

$R(x) = c_t x^t + c_{t-1} x^{t-1} + \cdots + c_1 x + a_0 \pmod q, \quad (7)$

where c_i = a_i + b_i (mod q) for i = 1, ..., t.

The dealer then sends out new shares R(1), R(2), ..., R(n) to the n participants to replace the old shares P(1), P(2), ..., P(n). It remains a (t+1, n) threshold scheme with the same original secret.

The above technique can be extended so that all the participants can engage 
in the shares renewal process. This method can eliminate the situation where all 
the work is done by the dealer, and the scheme will be more secure. 

3.5 Verifiable scheme

In reality, we need to consider the situation that the dealer or some of the participants might be malicious. In this case, we need to set up a verifiable secret sharing scheme so that the validity of the shares can be verified. Here we discuss Feldman's scheme [14], which is a simple verifiable secret sharing scheme based on Shamir's scheme. Also see [15] for another reference.

The idea is to find a cyclic group G of prime order q. Since it is cyclic, a generator of G, say g, exists. As in other cryptographic protocols, we assume the parameters of G are carefully chosen so that the discrete logarithm problem is hard to solve in G. Let p, q be primes such that q divides (p−1), and let g ∈ Z_p^* be of order q. The dealer generates a polynomial P(x) over Z_q of degree at most t as shown in Eq. 3, and sends out P(i) to participant i as before. In addition, he also broadcasts on a public channel the commitments g^{a_j} (mod p), j = 0, ..., t. Each participant i verifies whether the following equation holds:

$g^{P(i)} = g^{a_0} (g^{a_1})^{i} (g^{a_2})^{i^2} \cdots (g^{a_t})^{i^t} \pmod p, \quad i = 1, \ldots, n. \quad (8)$

Based on the homomorphic property of exponentiation, the above condition holds if the dealer sends out consistent information. Later, when the participants return their shares for secret recovery, the dealer can also verify their shares by the same method. Feldman's scheme is not perfect, since partial information about the secret, g^{a_0}, is leaked. However, it is difficult to get the secret a_0 from g^{a_0} if the discrete logarithm problem is hard to solve in G.
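As an added illustration of Eqs. 3-8 (this is not code from the paper), the following Python implements Shamir dealing, Lagrange recovery at x = 0, the Herzberg et al. refresh with a zero-constant polynomial Q(x), and Feldman's commitment check; the toy parameters q = 11, p = 23 and g = 4 are constructed for the demo and far too small for real use.

```python
import secrets

# Constructed toy parameters (not from the paper): coefficients and shares live in
# Z_q with q = 11; for Feldman, p = 23 = 2q + 1 and g = 4 has order q in Z_p^*
# (4^11 mod 23 == 1).  Real deployments use large primes.
Q, P, G = 11, 23, 4

def poly_eval(coeffs, x, q=Q):
    """Evaluate coeffs[0] + coeffs[1] x + ... + coeffs[t] x^t (mod q)."""
    return sum(a * pow(x, j, q) for j, a in enumerate(coeffs)) % q

def shamir_deal(secret, t, n, q=Q):
    """Eq. 3: random polynomial of degree at most t with a_0 = secret.
    Returns (coeffs, shares) where shares[i-1] = (i, P(i)) for i = 1..n."""
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t)]
    return coeffs, [(i, poly_eval(coeffs, i, q)) for i in range(1, n + 1)]

def lagrange_at_zero(points, q=Q):
    """Lagrange interpolation evaluated at x = 0 over Z_q: with t+1 points of a
    degree-<=t polynomial this is exactly a_0, the secret."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def proactive_refresh(shares, t, q=Q):
    """Eqs. 6-7: Q(x) has b_0 = 0, so R(i) = P(i) + Q(i) shares the same secret
    while every individual share value changes."""
    qcoeffs = [0] + [secrets.randbelow(q) for _ in range(t)]
    return [(x, (y + poly_eval(qcoeffs, x, q)) % q) for x, y in shares]

def feldman_commit(coeffs, p=P, g=G):
    """The dealer broadcasts g^{a_j} mod p for j = 0..t."""
    return [pow(g, a, p) for a in coeffs]

def feldman_verify(share, commitments, p=P, g=G):
    """Eq. 8: participant i checks g^{P(i)} == prod_j (g^{a_j})^{i^j} (mod p)."""
    i, y = share
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, i ** j, p) % p
    return pow(g, y, p) == rhs

def demo(secret=7, t=2, n=5):
    """Deal a (t+1, n) = (3, 5) scheme, verify, recover, refresh, recover again."""
    coeffs, shares = shamir_deal(secret, t, n)
    commitments = feldman_commit(coeffs)
    all_valid = all(feldman_verify(s, commitments) for s in shares)
    # A share altered in transit fails the check: g has order q, so adding 1
    # to P(i) changes g^{P(i)}.
    i, y = shares[0]
    tampered_ok = feldman_verify((i, (y + 1) % Q), commitments)
    recovered = lagrange_at_zero(shares[:t + 1])       # any t+1 shares suffice
    new_shares = proactive_refresh(shares, t)
    after_refresh = lagrange_at_zero(new_shares[2:])   # a different t+1 subset
    return all_valid, tampered_ok, recovered, after_refresh
```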

4 Hash function based secret sharing scheme designs 
4.1 Related work 

Zheng, Hardjono and Seberry [16] discuss how to reuse shares in a secret sharing scheme by using a universal hash function. Chum and Zhang [17,18] show how to apply hash functions to Latin square based secret sharing schemes for improvements. In this paper, we extend the idea of the herding and Nostradamus attacks [10] to any secret sharing scheme. We propose how to speed up the process and hence make it practical. An outline of the implementation is also suggested.

One direction of research in secret sharing schemes is to reduce the size of the shares. One approach is to use a ramp scheme [19,20]. However, the limitation of a ramp scheme is that it leaks partial information. If we want the scheme to be perfect, as explained above, the size of a share must be at least the size of the secret. It has been shown that there are no ideal schemes for certain access structures; please refer to [21,22,23] for examples. That means at least one participant needs to hold a share whose size is longer than the secret. Here we want to set up an ideal scheme for any access structure with the aid of a public area, which is justified because of its relatively low maintenance cost. As long as no one can change or destroy the public area, it will work. As explained later, the public area does not help an authorized subset with just one participant missing to recover the secret any more easily than an outsider, provided the length of a share is the same as that of the hash. From the public area, one can only identify which groups of participants can join together to recover the secret. In general, this is not a problem: in reality, should a secret need to be accessed, we know who should be contacted. Our scheme is flexible and fast because it makes use of the properties of existing hash functions.

4.2 A simplified diamond structure 

In the proposed new scheme we set up one message M_priv for each authorized subset. After building a diamond structure, all the M_priv's will be herded to a final hash h, which is the secret. That means any authorized subset can recover the secret from their private shares and the corresponding public information (see Fig. 3). More details are in the next section.

Fig. 3. Any authorized subset will herd to the final hash, i.e. the secret.

Based on the birthday attack, the complexity of building a diamond structure for our scheme is exponential, too expensive to implement. We will show how to avoid such complexity and make the scheme efficient and practical in the next section.



4.3 Newly proposed scheme 
A. Setup 

(a) We randomly generate a share of the same size as the hash for each participant. Suppose there are n participants; then share s_i is assigned to participant P_i, i = 1, ..., n.

(b) We determine all the minimal authorized subsets. Suppose we have w minimal authorized subsets A_1, ..., A_w. Each participant holds a share, and the combination of the shares of any one of these w authorized subsets forms a private message M_priv. The combination is the concatenation of the shares in participant sequence. For example, if an authorized subset consists of P_1, P_3 and P_4, then M_priv = s_1 || s_3 || s_4.

(c) Calculate the hashes

$H(M_{priv_i}) = h_i, \quad i = 1, \ldots, w. \quad (9)$

Let h be the secret, of the same size as h_i. If we want the secret to be random, we can set h to one of the h_i; otherwise h is a pre-determined fixed secret. We continue to generate a control c_i as follows (here ⊕ is bitwise exclusive OR):

$c_i = h_i \oplus h, \quad i = 1, \ldots, w. \quad (10)$

To summarize, after the setup process each participant P_i gets a random share s_i, i = 1, ..., n, and the public information c_i, i = 1, ..., w, is generated. The controls c_i herd all the intermediate hashes h_i to the final hash h. This eliminates the complexity of building a diamond structure.

B. Secret recovering 

Suppose authorized subset A_i consists of participants P_1, ..., P_b. Joining together they can recover the secret as follows (see Fig. 4):

1) Get the public information c_i.

2) Compute H(s_1 || s_2 || ... || s_b) = h_i, and h_i ⊕ c_i = h.

Fig. 4. Secret recovery by combination of private and public information.

Fig. 5. Secret recovery for any authorized subset.

This applies to any authorized subset, see Fig. 5.

C. Performance 

In the setup step the operations involved are the generation of random shares s_1, ..., s_n, the calculation of the hashes h_i = H(M_{priv_i}), and the generation of the control area c_i, i = 1, 2, ..., w. In the secret recovery step, assuming the participants of authorized subset A_i join together, we just need to calculate the hash (i.e., the secret) by h = H(M_{priv_i}) ⊕ c_i. All the operations during setup and secret recovery are efficient. This makes the proposed scheme practical.

D. Properties of the proposed scheme 

a) Perfect: Based on the randomness of a hash function, no participant can figure out any information about the hash from his/her share. Suppose a participant in a minimal authorized subset is missing; the randomness property makes it impossible to recover his/her share directly. Brute force is the only way to determine the share of the missing participant. However, the rest of the participants cannot rule out any possible value of the share, as each guessed value combined with their shares yields some hash value. So, in the worst case, they need to try 2^{|s|} times. On the other hand, an outsider needs to try 2^{|h|} times. If we choose the size of the share s to be the same as that of the hash h, any authorized subset with just one participant missing does not have any additional information to help them do better than an outsider.

b) Ideal: Each participant holds one share which has the same size as the hash. The smaller the size of the shares |s|, the more efficient the scheme would be. However, as discussed above, any authorized subset with just one participant missing can recover the hash by trying at most 2^{|s|} times. That means they can break the system more easily than an outsider if |s| is smaller than |h|. On the other hand, setting |s| larger than |h| will not increase the security level, since by brute force any outsider can try at most 2^{|h|} times to recover the secret.

c) Fast setup and recovery of the secret: The calculation of a hash function is fast. No complicated or intensive computation, such as polynomial evaluation/interpolation, is needed.

d) Application of minimal authorized subset: As we explained earlier, we can 
speed up the whole process by considering the minimal authorized subset 
only. 

e) General access structure: As we shall see in the following examples, this ap- 
proach can be extended to any general access structure. 

f) Flexible: A hash function can handle any message of arbitrary length so there 
is no limit to the number of participants. We can always change to a new and 
better hash function should it become available. For example, we use SHA-2 
now, when SHA-3 is available we can switch to it. 

g) No special hardware or software is required: For example, there is no need to handle large numbers or to find a large prime, etc.

4.4 Set up an ideal perfect (t+1, n) threshold scheme

As we mentioned before, a (t+1, n) threshold scheme has a simple access structure. Based on the monotone property, we only need to consider the N = C(n, t+1) minimal authorized subsets. Here,

$N = C(n, t+1) = \binom{n}{t+1} = \frac{n!}{(t+1)!\,(n-t-1)!}. \quad (11)$

Example: A (2, 3) threshold scheme

Let s_1, s_2, and s_3 be the shares of participants P_1, P_2, and P_3, respectively. Then the access structure consists of three (N = 3 by Eq. 11) minimal authorized subsets A_1, A_2 and A_3. The controls c_1, c_2, c_3 will be stored in the public area (see Fig. 6):

a) A_1 = {P_1, P_2}: M_priv = s_1 || s_2; control c_1
b) A_2 = {P_1, P_3}: M_priv = s_1 || s_3; control c_2
c) A_3 = {P_2, P_3}: M_priv = s_2 || s_3; control c_3

4.5 Set up an ideal perfect scheme for general access structure 

Our herding hashes technique discussed above can be used to set up a secret sharing scheme for any general access structure. Here, we illustrate a hierarchical threshold scheme and a compartment scheme.

Hierarchical threshold scheme The following is the conjunctive hierarchical scheme proposed by Tassa [24]. Let U be the set of n participants. U is divided into m levels:

$U = U_1 \cup U_2 \cup \cdots \cup U_m \quad \text{and} \quad U_i \cap U_j = \emptyset, \ \forall i, j : 1 \le i < j \le m. \quad (12)$
Fig. 6. A (2, 3) threshold scheme example (c_i is the public information for A_i).



Instead of just assigning a threshold number k as in a regular secret sharing scheme, a set of numbers k = {k_1, ..., k_m} in strictly increasing order is set up: 0 < k_1 < k_2 < ... < k_m. Then the (k, n) hierarchical threshold access structure is:

$\Gamma = \{ V \subseteq U \mid |V \cap (U_1 \cup \cdots \cup U_i)| \ge k_i, \ \forall i \in \{1, \ldots, m\} \}. \quad (13)$

So if V is an authorized subset, then:

the number of participants in V at level 1 ≥ k_1
AND the number of participants in V at levels 1, 2 ≥ k_2
...
AND the number of participants in V at levels 1, ..., m ≥ k_m.

If we just require any one of the above conditions to be true at any level, we can simply change AND to OR; then we get a disjunctive hierarchical secret sharing scheme, which was originally proposed by Simmons [25].

Example: Conjunctive hierarchical secret sharing scheme

Let U = {P_1, P_2, P_3, P_4, P_5, P_6} be the set of participants. There are three levels, U_1 = {P_1, P_2} for level 1, U_2 = {P_3, P_4} for level 2, U_3 = {P_5, P_6} for level 3, and {k_1, k_2, k_3} = {1, 2, 3}. Based on Γ_0, the set of minimal authorized subsets, we have the following setup, where s_i is the corresponding share for P_i, the c_i's are the corresponding public information, and the A_i's are the minimal authorized subsets.

a) A_1 = {P_1, P_3, P_5}: s_1 || s_3 || s_5; c_1
b) A_2 = {P_1, P_3, P_6}: s_1 || s_3 || s_6; c_2
c) A_3 = {P_1, P_4, P_5}: s_1 || s_4 || s_5; c_3
d) A_4 = {P_1, P_4, P_6}: s_1 || s_4 || s_6; c_4
e) A_5 = {P_1, P_3, P_4}: s_1 || s_3 || s_4; c_5
f) A_6 = {P_2, P_3, P_5}: s_2 || s_3 || s_5; c_6
g) A_7 = {P_2, P_3, P_6}: s_2 || s_3 || s_6; c_7
h) A_8 = {P_2, P_4, P_5}: s_2 || s_4 || s_5; c_8
i) A_9 = {P_2, P_4, P_6}: s_2 || s_4 || s_6; c_9
j) A_10 = {P_2, P_3, P_4}: s_2 || s_3 || s_4; c_10
k) A_11 = {P_1, P_2, P_3}: s_1 || s_2 || s_3; c_11
l) A_12 = {P_1, P_2, P_4}: s_1 || s_2 || s_4; c_12
m) A_13 = {P_1, P_2, P_5}: s_1 || s_2 || s_5; c_13
n) A_14 = {P_1, P_2, P_6}: s_1 || s_2 || s_6; c_14

Compartment scheme A compartment scheme works as follows. Let U be the set of n participants, divided into m compartments: U = U_1 ∪ U_2 ∪ ... ∪ U_m and U_i ∩ U_j = ∅ for all i, j : 1 ≤ i < j ≤ m.

There is a threshold assigned to each compartment, say t_1 for U_1, t_2 for U_2, etc. An authorized subset will:

a) contain at least t_i participants in U_i (an individual threshold scheme for compartment U_i);

b) contain at least t participants (an overall threshold scheme).

Example: Compartment secret sharing scheme

Let U = {P_1, P_2, ..., P_6} be the set of participants, with three compartments U_1 = {P_1, P_2}, U_2 = {P_3, P_4} and U_3 = {P_5, P_6}. We want at least 1 participant from each compartment and 4 participants overall. Once we determine Γ_0, the implementation is straightforward.

a) A_1 = {P_1, P_2, P_3, P_5}: s_1 || s_2 || s_3 || s_5; c_1
b) A_2 = {P_1, P_2, P_3, P_6}: s_1 || s_2 || s_3 || s_6; c_2
c) A_3 = {P_1, P_2, P_4, P_5}: s_1 || s_2 || s_4 || s_5; c_3
d) A_4 = {P_1, P_2, P_4, P_6}: s_1 || s_2 || s_4 || s_6; c_4
e) A_5 = {P_1, P_3, P_4, P_5}: s_1 || s_3 || s_4 || s_5; c_5
f) A_6 = {P_1, P_3, P_4, P_6}: s_1 || s_3 || s_4 || s_6; c_6
g) A_7 = {P_2, P_3, P_4, P_5}: s_2 || s_3 || s_4 || s_5; c_7
h) A_8 = {P_2, P_3, P_4, P_6}: s_2 || s_3 || s_4 || s_6; c_8
i) A_9 = {P_1, P_3, P_5, P_6}: s_1 || s_3 || s_5 || s_6; c_9
j) A_10 = {P_1, P_4, P_5, P_6}: s_1 || s_4 || s_5 || s_6; c_10
k) A_11 = {P_2, P_3, P_5, P_6}: s_2 || s_3 || s_5 || s_6; c_11
l) A_12 = {P_2, P_4, P_5, P_6}: s_2 || s_4 || s_5 || s_6; c_12


4.6 Set up a verifiable scheme for general access structure 

Let f, g be cryptographic hash functions. The dealer generates shares s_1, s_2, ..., distributes each share to its participant, and then publishes the hashes (by hash function g) of each share as commitments: g_1, g_2, .... Participant i verifies his or her share by checking whether g(s_i) = g_i holds. If all participants confirm that taking his or her share as input to the hash function g gives a hash value equal to one of the commitments published by the dealer, we conclude that the dealer has sent out consistent shares. Likewise, when the participants return their shares, the dealer can verify them in the same way.

Hash function g is used to make the scheme verifiable. Hash function f is used as H in Section 4.3 for the scheme. Partial information is given out here; however, if g is preimage resistant, it is infeasible to find the original share s_i from g_i. Participant i could fool the other parties only by finding s'_i ≠ s_i such that g(s'_i) = g(s_i) = g_i. However, this is also extremely difficult to achieve if g is second preimage resistant.

4.7 Set up a proactive scheme 

We pick any authorized subset to recover the secret h, then repeat the setup process to generate and redistribute new shares s'_1, s'_2, .... Based on the secret h and the newly generated shares s'_1, s'_2, ..., we determine and update the new public control information c'_1, c'_2, .... Finally we delete the secret h. So the shares are refreshed and the secret remains unchanged.
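As an added example for Sections 4.6 and 4.7 (not the paper's code), the following Python builds the (2, 3) scheme with SHA-256 as f (the H of Section 4.3) and SHA3-256 as the commitment hash g, checks shares against the published commitments, and then runs one proactive refresh; the two hash choices and the 32-byte share size are assumptions.

```python
import hashlib
import secrets

def f(message):            # used as H of Section 4.3: builds the controls
    return hashlib.sha256(message).digest()

def g(message):            # commitment hash: publishes g_j = g(s_j)
    return hashlib.sha3_256(message).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def deal(n, subsets, h):
    """Fresh random shares s_1..s_n, controls c_A = f(s_{a1}||...||s_{ab}) XOR h
    for each minimal authorized subset A (members in participant order), and
    commitments g_j = g(s_j).  Only the controls and commitments are public."""
    shares = {j: secrets.token_bytes(32) for j in range(1, n + 1)}
    controls = {a: xor(f(b"".join(shares[j] for j in a)), h) for a in subsets}
    commitments = {j: g(s) for j, s in shares.items()}
    return shares, controls, commitments

def share_is_consistent(j, share, commitments):
    """Participant j's check g(s_j) == g_j; the dealer applies the same check to
    shares handed back at recovery time.  A preimage-resistant g keeps s_j
    hidden, and second-preimage resistance blocks substituting another s'_j."""
    return g(share) == commitments[j]

def recover(subset, shares, controls):
    return xor(f(b"".join(shares[j] for j in subset)), controls[subset])

def refresh(n, subsets, shares, controls):
    """4.7: any authorized subset recovers h, new shares and controls are dealt
    for the SAME h, then h is dropped.  Participants must erase old shares."""
    h = recover(subsets[0], shares, controls)
    fresh = deal(n, subsets, h)
    del h
    return fresh

def demo():
    subsets = [(1, 2), (1, 3), (2, 3)]                 # the (2, 3) example
    secret = f(b"constructed fixed secret for the demo")
    shares, controls, commits = deal(3, subsets, secret)
    all_ok = all(share_is_consistent(j, s, commits) for j, s in shares.items())
    # A share altered by a single bit no longer matches its commitment.
    flipped = xor(shares[1], b"\x01" + bytes(31))
    tampered_ok = share_is_consistent(1, flipped, commits)
    new_shares, new_controls, new_commits = refresh(3, subsets, shares, controls)
    same_secret = recover((2, 3), new_shares, new_controls) == secret
    changed = new_shares[1] != shares[1] and new_commits[1] != commits[1]
    # Mixing an old share with the new controls (all a slow adversary holds
    # after a reset) does not yield the secret.
    stale = recover((1, 2), {1: shares[1], 2: new_shares[2]}, new_controls) == secret
    return all_ok, tampered_ok, same_secret, changed, stale
```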

5 Implementation plan 

Suppose there are n participants P_1, ..., P_n and w minimal authorized subsets A_1, ..., A_w for a given access structure. Let H be the hash function for the implementation. The secret is stored in a variable h, which has the same size as the output hash of H.

(a) If the secret is fixed, input and store it in h. Otherwise skip this step.

(b) FOR i = 1, ..., n
        Generate s_i randomly for P_i
    ENDFOR

(c) FOR i = 1, ..., w
        Construct M_{priv_i} from the shares of the participants in A_i, in participant sequence
        h_i = H(M_{priv_i})
        IF i = 1 and h is empty THEN h = h_1 /* If no input secret, set the secret to the first randomly generated intermediate hash h_1. */
        c_i = h_i ⊕ h
        K_i = concatenation of the ordered indices of the participants in A_i
        Write c_i in the public area under key K_i
    ENDFOR

(d) FOR i = 1, ..., n
        Send s_i to P_i privately
    ENDFOR

(e) Delete all s_i (shares) and h (the secret).

After the implementation:

1) We have created the following (see Fig. 7):

i) private shares for the participants: s_1, ..., s_n;

ii) public information c_1, ..., c_w.

2) Any authorized subset A_i can form the key K_i to get the corresponding c_i and recover the secret (see Section 4.3B).

Fig. 7. Shares for participants and public area (each private share s_i is kept privately by P_i; the controls c_i are kept in the public area).



6 Conclusion 

This paper shows how to design various secret sharing schemes based on cryptographic hash functions so that any general access structure can be realized as perfect and ideal. The implementation is simple and efficient as we make use of existing hash functions. The share distribution and secret recovery can be done quickly due to the fast calculation of hash functions. We can further implement these schemes as proactive and/or verifiable if required.